k3s-io / k3s-selinux

SELinux policy for k3s
Apache License 2.0

Not compatible with SL Micro 6.0 #65

Open rdoxenham opened 2 weeks ago

rdoxenham commented 2 weeks ago

The current shipped version of k3s-selinux that we pull during SUSE Edge Image Builder runs is not compatible with SL Micro 6.0 as it ships with a much newer version of container-selinux than is being allowed by the RPM:

Problem: nothing provides 'container-selinux < 2.191.0-1' needed by the to be installed k3s-selinux-1.5-1.slemicro.noarch
 Solution 1: do not install k3s-selinux-1.5-1.slemicro.noarch
 Solution 2: break k3s-selinux-1.5-1.slemicro.noarch by ignoring some of its dependencies

The max container-selinux version we ship in the k3s-selinux policy (https://github.com/k3s-io/k3s-selinux/blob/master/policy/slemicro/k3s-selinux.spec) specifies 2.191.0-1 but the version shipped with SL Micro 6.0 is 2.211.0.

We have already tested an RPM with this check removed, and it installs the module just fine on SL Micro 6.0.
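The dependency check that fails in the error above, as an added example that is not part of the original issue or the k3s-selinux project: a simplified Python reimplementation of RPM version comparison (digit and letter segments only, no `~` or `^` handling), applied to the `container-selinux < 2.191.0-1` bound from the error and the container-selinux build reported on this page for SL Micro 6.0. All function names are hypothetical.

```python
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, RPM-style."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)   # numeric segments compare as integers
        elif x.isdigit():
            return 1                # a numeric segment is newer than a letter one
        elif y.isdigit():
            return -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def split_evr(evr):
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evrcmp(a, b):
    """Return -1, 0 or 1 for epoch, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    if c or not (ra and rb):        # release only counts when both sides have one
        return c
    return rpmvercmp(ra, rb)

_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
        ">=": lambda c: c >= 0, ">": lambda c: c > 0}

def satisfies(installed, op, bound):
    """True if the installed EVR meets a 'Requires: name <op> <bound>' clause."""
    return _OPS[op](evrcmp(installed, bound))

REQUIRED = ("<", "2.191.0-1")       # bound quoted in the zypper error on this page
INSTALLED = "2.211.0-2.100"         # container-selinux build shown on this page

if __name__ == "__main__":
    ok = satisfies(INSTALLED, *REQUIRED)
    print(f"container-selinux {INSTALLED} {REQUIRED[0]} {REQUIRED[1]}:",
          "satisfied" if ok else "unsatisfied")
```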

ShylajaDevadiga commented 2 weeks ago

@rdoxenham Can you share your setup or custom script that I could use to reproduce the issue?

I tried channel latest that does not have the fix on sle micro 6 and it seems to be working. Below are the results:

Using channel latest without fix

ec2-user@ip-172-31-5-154:~> curl -fL https://get.k3s.io| INSTALL_K3S_VERSION=v1.31.0+k3s1 INSTALL_K3S_CHANNEL=latest sh -s - server --selinux=true
ec2-user@ip-172-31-5-154:~> cat /etc/os-release 
NAME="SL-Micro"
VERSION="6.0"
VERSION_ID="6.0"
PRETTY_NAME="SUSE Linux Micro 6.0"
ID="sl-micro"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sl-micro:6.0"
HOME_URL="https://www.suse.com/products/micro/"
DOCUMENTATION_URL="https://documentation.suse.com/sl-micro/6.0/"

ec2-user@ip-172-31-5-154:~> rpm -qa | grep selinux
libselinux1-3.5-3.1.x86_64
selinux-tools-3.5-3.1.x86_64
python3-selinux-3.5-3.1.x86_64
selinux-policy-20230523+git14.ef49ab54-1.6.noarch
selinux-policy-targeted-20230523+git14.ef49ab54-1.6.noarch
container-selinux-2.211.0-2.100.noarch
cockpit-selinux-309-5.3.noarch
k3s-selinux-1.5-1.sle.noarch
ec2-user@ip-172-31-5-154:~> kubectl get nodes
NAME              STATUS   ROLES                  AGE   VERSION
ip-172-31-5-154   Ready    control-plane,master   53m   v1.31.0+k3s1

Using channel testing with fix

ec2-user@ip-172-31-1-105:~> curl -fL https://get.k3s.io| INSTALL_K3S_VERSION=v1.31.0+k3s1 INSTALL_K3S_CHANNEL=testing sh -s - server --selinux=true
ec2-user@ip-172-31-1-105:~> cat /etc/os-release 
NAME="SL-Micro"
VERSION="6.0"
VERSION_ID="6.0"
PRETTY_NAME="SUSE Linux Micro 6.0"
ID="sl-micro"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sl-micro:6.0"
HOME_URL="https://www.suse.com/products/micro/"
DOCUMENTATION_URL="https://documentation.suse.com/sl-micro/6.0/"
ec2-user@ip-172-31-1-105:~> rpm -qa | grep selinux
libselinux1-3.5-3.1.x86_64
selinux-tools-3.5-3.1.x86_64
python3-selinux-3.5-3.1.x86_64
selinux-policy-20230523+git14.ef49ab54-1.6.noarch
selinux-policy-targeted-20230523+git14.ef49ab54-1.6.noarch
container-selinux-2.211.0-2.100.noarch
cockpit-selinux-309-5.3.noarch
k3s-selinux-1.6-4.sle.noarch
ec2-user@ip-172-31-1-105:~> kubectl get nodes
NAME              STATUS   ROLES                  AGE   VERSION
ip-172-31-1-105   Ready    control-plane,master   63m   v1.31.0+k3s1